Vulnerability Description
GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly protect against server-side request forgery. This allows an attacker to port scan internal hosts and request information from internal hosts. A patch is available at commit a9eebae80cb362009660a1fd49e105e7cdb499b9.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Geosolutionsgroup | Geonode | >= 3.2.0, <= 4.1.2 |
Related Weaknesses (CWE)
References
- https://github.com/GeoNode/geonode/commit/a9eebae80cb362009660a1fd49e105e7cdb499Patch
- https://github.com/GeoNode/geonode/security/advisories/GHSA-rmxg-6qqf-x8mrExploitThird Party Advisory
- https://github.com/GeoNode/geonode/commit/a9eebae80cb362009660a1fd49e105e7cdb499Patch
- https://github.com/GeoNode/geonode/security/advisories/GHSA-rmxg-6qqf-x8mrExploitThird Party Advisory
FAQ
What is CVE-2023-40017?
CVE-2023-40017 is a vulnerability with a CVSS score of 7.5 (HIGH). GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly prot...
How severe is CVE-2023-40017?
CVE-2023-40017 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-40017?
Check the references section above for vendor advisories and patch information. Affected products include: Geosolutionsgroup Geonode.